CVE-2025-27134 Information

Description

Joplin is a free open source note taking and to-do application which can handle a large number of notes organised into notebooks. Prior to version 3.3.3 a privilege escalation vulnerability exists in the Joplin server allowing non-admin users to exploit the API endpoint PATCH /api/users/:id to set the is_admin field to 1. The vulnerability allows malicious low-privileged users to perform administrative actions without proper authorization. This issue has been patched in version 3.3.3.

Reference

https://github.com/laurent22/joplin/commit/12baa9827dac9da903f244c9f358e3deb264e228 https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x https://github.com/laurent22/joplin/security/advisories/GHSA-xj67-649m-3p8x